NATIONAL CREDIT UNION ADMINISTRATION
OFFICE OF INSPECTOR GENERAL

OIG REPORT TO OMB ON THE
NATIONAL CREDIT UNION ADMINISTRATION’S
COMPLIANCE WITH THE
FEDERAL INFORMATION SECURITY
MANAGEMENT ACT
2007

Report #OIG-07-08                September 12, 2007

William A. DeSarno
Inspector General

Released by:                       Auditor-in-Charge:

James Hagen                        W. Marvin Stith, CISA
Asst IG for Audits                 Sr Information Technology Auditor


OIG REPORT TO OMB ON THE NATIONAL CREDIT UNION ADMINISTRATION’S COMPLIANCE WITH
THE FEDERAL INFORMATION SECURITY ACT – 2007
Report #OIG-07-08

CONTENTS

Section                                                                    Page

    I        EXECUTIVE SUMMARY                                               1

    II       OFFICE OF MANAGEMENT & BUDGET REPORT FORMAT                     2

Appendix

    A        Independent Evaluation of the NCUA Information Security Program – 2007

    B        NCUA Financial Statement Audits – FY2006

Section II and Appendix B are limited to restricted official use only.

Appendix A is Audit Report OIG-07-09 dated September 12, 2007.


INDEPENDENT EVALUATION OF THE NATIONAL CREDIT UNION ADMINISTRATION
INFORMATION SECURITY PROGRAM - 2007
Report #OIG-07-08

I. EXECUTIVE SUMMARY

The Office of Inspector General (OIG) for the National Credit Union Administration (NCUA)
engaged Grant Thornton LLP to independently evaluate its information systems and security
program and controls for compliance with the Federal Information Security Management Act
(FISMA), Title III of the E-Government Act of 2002.

Grant Thornton evaluated NCUA’s security program through interviews, documentation reviews,
technical configuration reviews, social engineering testing, and sample testing. We evaluated
NCUA against standards and requirements for federal government agencies such as those
provided through FISMA, National Institute of Standards and Technology (NIST) Special
Publications (SPs), and Office of Management and Budget (OMB) memorandums. We
conducted an exit conference with NCUA on June 29, 2007, to discuss evaluation results.

The NCUA made noticeable progress in strengthening its Information Technology (IT) security
program during Fiscal Year (FY) 2007. Notable accomplishments include:

    - Completion of Certification and Accreditation packages for all of its FISMA systems.
    - Implementation of additional encryption protection for data on examiner laptops.

While NCUA made commendable progress in addressing the deficiencies reported last year,
management could still improve IT security controls in the following areas:

    - NCUA needs a better document management program.

    - NCUA has not implemented continuing education requirements for its Information
      Technology employees.

    - Employee enter/exit/change procedures do not ensure timely removal of terminated
      employees’ access to NCUA systems.

    - E-Authentication risk assessments for its systems need to be completed.

    - A formal agency-wide security configuration guide should be developed.

    - Incident response procedures should be followed.

    - Personnel security awareness training needs to be completed in FY 2007.

    - NCUA’s Plan of Actions and Milestones (POA&M) process needs improvement.

    - Security controls testing for all of NCUA’s FISMA systems needs to be completed.

    - Segregation of duties should be maintained or compensating controls established.

    - NCUA vulnerability management needs improvement.

We appreciate the courtesies and cooperation provided to our auditors during this audit.